You access the Event Summary sidebar by clicking an entry row in the Detection Events widget of the NSX Network Detection and Response Events page.

The following sections describe what you see on this sidebar. After the top section, subsequent sections display supporting data. Some sections are displayed only if relevant data is available.

Top section

The top of the sidebar includes the following:

  • To close the sidebar, click the close icon.

  • To view the event in the Event profile page, click the Details link (right-arrowhead icon). See Event Profile Page for more information.

  • If available, a brief description of the event is provided. It explains why the system flagged this event, identifies the threat or malware associated with it, and briefly describes the detected activity.

Threat Details

This section includes the following information.


Threat

Name of the detected security risk.

Threat Class

Name of the detected security risk class.

Event Detector

The name of the event detector. Click the link to view the Detector pop-up window. See Detector Documentation Pop-Up Window for details.

If there is no detector for the event, this section is not shown.

Impact

The impact value indicates the criticality of the detected threat and ranges from 1 to 100.

  • Threats with an impact of 70 or above are considered critical.

  • Threats with an impact between 30 and 69 are considered medium-risk.

  • Threats with an impact between 1 and 29 are considered benign.

Action

A list of actions taken by the sensor (for example, any blocking activity, whether the event was logged, whether traffic was captured, or whether a malware download was extracted).

Outcome

The outcome of the event. In most cases, this is Detection.

For Info events and events that were promoted from Info status, an additional label gives the reason for the status or status change. Hover over the label to display a pop-up window with additional details about the reason.

First Seen / Last Seen

A graph showing the timestamps when the evidence was first and last seen.

The Duration information is displayed below the graph.

Event traffic

The Event traffic widget provides an overview of the traffic observed between the hosts involved in the event. At least one host involved in the event is a monitored host; the communicating host can be a monitored host or an external system. If the data is available, a link to view the Captured traffic is displayed.

The arrow indicates the traffic direction between the hosts.

For each host, the IP address is displayed. If the host is local, the address is a link that you can click to view the Host profile page. A geo-located flag, a home icon, or a network icon might be displayed, and more than one might be displayed at once. If available, a host name is displayed. If available from DHCP traffic monitoring, the MAC address of the host is displayed. Any host tags applied to the host are displayed. If available, click the WHOIS icon to view host details in the WHOIS pop-up window.

Event evidence

The Event evidence section lists various actions observed while analyzing the event. For more details, click the Event details link to view the Event evidence.

Actions include Signature, Reputation, Unusual behavior, File download, URL path match, Verification, Anomaly, and so on. If a link is provided, click it to view the corresponding Detector pop-up window. A Confidence value is displayed for each action.

Malware identification

If the NSX Malware Prevention application is activated, a summary of the detected malware is displayed. For more details, click the Analyst report link (right-arrowhead icon) to view the Analysis report. See Using the Analysis Report for more information.


Antivirus Class

A label defining the antivirus class of the downloaded file.

Antivirus Family

A label defining the antivirus family of the downloaded file.

Malware

A label defining the malware type of the downloaded file. If the label has a tag icon, you can click it for a pop-up description.

Behavior Overview

The detected behaviors of the downloaded file. If there is a lot of data, a partial list is displayed by default. Click Expand for more (down-arrowhead icon) to view the full list, and click Collapse for less (up-arrowhead icon) to close it again.

Event URLs

The Event URLs section displays all the URLs detected in the event. This section appears only if the event is associated with a URL.

Event metadata

The Event metadata section displays the following data.


Related Incident

Click the link icon to view the related incident, if one is available.

Connections

The number of connections included in the event.

Related Campaign

Click the link icon to view the related campaign, if one is available.